How to trigger xss with html encoded xss attack vector inside script tags?

5.1k views Asked by At

I am reading the OWASP XSS prevention cheat sheet and got stuck in understanding something:

Why Can't I Just HTML Entity Encode Untrusted Data

HTML entity encoding is okay for untrusted data that you put in the body of the HTML document, such as inside a <div> tag. It even sort of works for untrusted data that goes into attributes, particularly if you're religious about using quotes around your attributes. But HTML entity encoding doesn't work if you're putting untrusted data inside a <script> tag anywhere, or an event handler attribute like onmouseover, or inside CSS, or in a URL. So even if you use an HTML entity encoding method everywhere, you are still most likely vulnerable to XSS. You MUST use the encode syntax for the part of the HTML document you're putting untrusted data into. That's what the rules below are all about.

I'm not able to create a working POC, how an html encoded xss attack vector can trigger xss inside the <script> tag

Help me to understand this.

1

There are 1 answers

4
Aplet123 On

HTML encoding refers to replacing < with &lt;, > with &gt;, and & with &amp; (among other replacements). What the paragraph is saying is that this does stop XSS inside a normal tag, for example if you try to inject <script>alert(1)</script> into a p tag, you get:

<p>&gt;script&lt;alert(1)&gt;/script&lt;</p>

which doesn't do anything. However, if the XSS vector goes inside a script tag instead of a p tag, then you can just enter alert(1) and it ends up as:

<script>alert(1)</script>

which causes XSS.